Wird diese Nachricht nicht richtig dargestellt, klicken Sie bitte hier.

Heuking Kühn Lüer Wojtek

Update Data Protection
IP, Media & Technology

No. 50 | 2019-01-22


Joint controllership in the integration of third-party website plug-ins - Concluding Opinion of the Advocate General to the ECJ on the "Facebook Like" button
Antje Münch, LL.M., Dr. Markus Klinger


The Court of Justice of the European Union (ECJ) must currently clarify whether and how website operators can legally integrate the so-called "Like" button of Facebook on their website (Case C-40/17). A German online retailer had integrated the "Facebook Like" button into their online shop. Due to the functionality of the "Facebook Like" button, personal information was transmitted to Facebook Ireland each time the website was visited, including the IP address. This transmission took place automatically with each visit, regardless of whether the user had clicked on the "Facebook Like" button or even had a user account on Facebook.

Verbraucherzentrale Nordrhein-Westfahlen e.V. (North Rhine-Westphalia Consumer Center) has filed a cease-and-desist injunction against the online retailer and is of the opinion that the integration of the "Facebook Like" button violates data protection regulations, for example alleging that the user’s consent is required for data processing. The website operatorwas also responsible for data protection, even if they include the "Facebook Like" button only on their website, but do not have any influence on the downstream data processing by Facebook. In the course of the proceedings, the Düsseldorf Higher Regional Court has therefore asked the ECJ, inter alia, whether the online retailer, who includes the "Facebook Like" button on their website, is a data controller of the data processing entailed.

Classification of the dispute

The lawsuit is part of a series of cases before the ECJ dealing with issues of joint controllership  in data processing. In June 2018, the ECJ had already decided that joint controllership existed between Facebook Ireland and the operator of a so-called "Facebook Fanpage" (see Case C-C-210/16, see our Update No. 39 of 2018).

Indeed, the questions submitted to the ECJ in the current proceedings concern the interpretation of the Data Protection Directive 95/46/EC, which was in force before the GDPR became effective. However, the pending decision of the European Court of Justice should also be applicable to the currently applicable provisions of the GDPR.

The answers to the questions have, according to the GDPR, far-reaching consequences for companies. Firstly, joint controllers for data processing under Art. 26 GDPR must agree on an arrangement on joint controllership and make the substance of this arrangement accessible to the data subjects. On the other hand, controllers are jointly and severally liable vis-à-vis data subjects. The failure to make such an arrangement ultimately entails significant fines.

On December 19, 2018, the Concluding Opinion of the Advocate General was published at the ECJ in the proceedings concerning the "Facebook Like" button. In his Concluding Opinion, the Advocate General makes a suggestion for the ECJ's ruling, which typically complies with such suggestion. It iss not yet known when the ECJ will make a decision.

Joint controllership

According to Article 26 (1) of the GDPR, several parties involved in data processing are to be considered as ‘joint controllers for data processing' when jointly determining the purposes and means of data processing. The key criterion for determining the responsibility of (joint) controllers is the actual impact on the processing purposes and means. In order for joint controllers to be responsible each party involved must have actual influence; however, this does not necessarily mean that the joint controllers have equal decision-making authority.

Integrating the "Facebook Like" button on a website is sufficient

In the Advocate General’s opinion, the threshold for assumption of joint controllership is very low. The Advocate General believes that the mere integration of the "Facebook Like" button and the commercial purposes pursued by those involved suffice to assume responsibility joint controllership.

Indeed, the website operator - unlike in the decision regarding the "Facebook fan page" - is not actively involved in the parameterization of the plug-in ("Facebook Like" button). It is sufficient, however, that the website operator participates in the parameterization by deliberately integrating the plugin on their website. Therefore, merely the integration is deemed (co-)decision-making on the means of data processing.

The common purpose of Facebook Ireland and the website operator is also apparent. Although there is no identical commercial use of personal information, Facebook Ireland and the website operator have pursued general commercial (advertising) purposes that complement each other. That alone is sufficient for the Advocate General to affirm the common definition of the purpose.

Limiting joint controllership to individual stages of processing

However, as a corrective measure to the mere integration of a plug-in being grounds for the assumption of joint controllership, the Advocate General limits joint controllership to the data-processing operations in which the website operator actually contributes to the decision on the means and purposes of data processing.

In the specific case, these are (only) the data collection and transmission to Facebook Ireland. All downstream data processing by Facebook Ireland is the sole responsibility of the same. The website operator is therefore not a controller of the entire chain of all data processing.

Conclusion

The Advocate General confirms in his Concluding Opinion what many feared after the "Facebook Fanpage" decision: The threshold for assuming joint controllership is low. All it takes is the integration of a third-party plug-in on a website that collects and transmits personal information. If the ECJ agrees with the Concluding Opinion of the Advocate General in its ruling, which is generally to be expected, joint controllership will not only apply when integrating a "Facebook Like" button. According to the Advocate General, the integration of other social media plugins (e.g., Xing, Twitter, Instagram, etc.) is likely to trigger joint controllership of the website operator together with the respective plug-in provider as well. However, it is not only so-called social plug-ins that are affected. In the case of website analysis tools and other third-party data-mining tools and content, the question of whether or not they trigger joint controllership will arise in the future well, since providers of such tools typically use the collected data for commercial purposes as well.

Practical notes

If the ECJ agrees with the Advocate General's Concluding Opinion, then companies must review thoroughly whether there is joint controllership before integrating plug-ins and other third-party tools and content on their website. If this question is answered in the affirmative, it remains to be determined for which specific phases of data processing joint controllership exists.

First and foremost, in order to avoid the risk of fines, companies must ensure that there is a sufficient legal basis for data processing via the integrated tool (in particular, consent). An agreement regarding joint controllership is to be concluded with the provider of the plug-in or tool, and the substance of the agreement must be accessible to the data subjects (users). Should the ECJ decide as the Advocate General envisages, it can be expected that corresponding standard agreements will be made available by the major providers (e.g., Facebook).


Authors
Heuking Kühn Lüer Wojtek

Antje Münch, LL.M. is a salaried partner and a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.


Heuking Kühn Lüer Wojtek

Dr. Markus Klinger is a partner and a lawyer at Heuking Kühn Lüer Wojtek and member of the practice group IP, Media & Technology.


Contact

T +49 211 600 55-168
F +49 211 600 55-160
E datenschutz@heuking.de

Visit our Website with focus on Data Protection Law:
Microsite Data Protection

Task Force Data Protection
Heuking Kühn Lüer Wojtek
Dr. Christian Appelbaum
Heuking Kühn Lüer Wojtek
Dr. Ubbo Aßmus
Heuking Kühn Lüer Wojtek
Felix Drefs
Heuking Kühn Lüer Wojtek
Alexa Finke
Heuking Kühn Lüer Wojtek
Regina Glaser, LL.M.
Heuking Kühn Lüer Wojtek
Torsten Groß, LL.M.
Heuking Kühn Lüer Wojtek
Anne Heisig
Heuking Kühn Lüer Wojtek
Maike Katharina Hinz
Heuking Kühn Lüer Wojtek
Britta Hinzpeter, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Thomas Jansen
Heuking Kühn Lüer Wojtek
Dr. Philip Kempermann, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Lutz Martin Keppeler
Heuking Kühn Lüer Wojtek
Dr. Markus Klinger
Heuking Kühn Lüer Wojtek
Michael Kuska, LL.M., LL.M.
Heuking Kühn Lüer Wojtek
Astrid Luedtke
Heuking Kühn Lüer Wojtek
Marcel Maybaum
Heuking Kühn Lüer Wojtek
Antje Münch, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Søren Pietzcker, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Wolfgang G. Renner, LL.M.
Heuking Kühn Lüer Wojtek
Dr. Dirk Stolz
Heuking Kühn Lüer Wojtek
Dr. Frederik Wiemer
Heuking Kühn Lüer Wojtek
Dr. Florian Winzer
Heuking Kühn Lüer Wojtek
Dr. Hans Markus Wulf




I want to
unsubscribe

subscribe









Heuking Kühn Lüer Wojtek
© 2019 Heuking Kühn Lüer Wojtek

PartGmbB von Rechtsanwälten und Steuerberatern*
Georg-Glock-Str. 4, 40474 Düsseldorf

* Data protection information / register details / list of partners: www.heuking.de

Information on how Heuking Kühn Lüer Wojtek handles your personal data,
the purposes for processing your data, the legal basis for processing,
and on your rights can be found at www.heuking.de.

datenschutz@heuking.de